Does my OpenSSH Need Upgrading? ref: CVE-2007-4752



ekoforever
05-May-2015, 19:43
I'm trying to resolve some known vulnerabilities and I'm running SLES 11 Patchlevel 2. I can see that I'm currently using OpenSSH version 4.3. According to CVE-2007-4752, ssh in OpenSSH before version 4.7 is vulnerable but I wasn't sure if the bug had been fixed in a prior release and not affected SLES version 11 and beyond. Can anyone help out? Do I need to download and install a newer openSSH version?

I've done some searching and would appreciate any help that is provided.

Thanks!

ekoforever
05-May-2015, 19:46
Just to add as I forgot.

The below link is from the Mailinglist Archive where it says the vulnerability was addressed. Just not sure if I still need to upgrade.

http://lists.opensuse.org/opensuse-security-announce/2007-10/msg00008.html


Thanks,

ab
05-May-2015, 19:56
2007 was a long time ago, and SUSE fixed it a long time ago:

https://www.suse.com/security/cve/CVE-2007-4752.html


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

ekoforever
05-May-2015, 20:18
So from the page that you sent me in the "List of Released Packages" are the products the operating systems versions that were vulnerable at one time? I had seen that page previously and was just trying to figure out if that is what that meant.

Thanks again!

mikewillis
05-May-2015, 20:18
> I'm trying to resolve some known vulnerabilities and I'm running SLES 11 Patchlevel 2. I can see that I'm currently using OpenSSH version 4.3. According to CVE-2007-4752, ssh in OpenSSH before version 4.7 is vulnerable but I wasn't sure if the bug had been fixed in a prior release and not affected SLES version 11 and beyond. Can anyone help out? Do I need to download and install a newer openSSH version?
>
> I've done some searching and would appreciate any help that is provided.
>
> Thanks!


I can't find off hand what version of openSSH SLES 11 SP2 shipped with but I doubt it was 4.3 given that was released in 2006, SLES 11 was released 2010 and SP2 in 2012. The first update to openSSH released for SP2 was in March 2012 and was openssh-5.1p1-41.53.1.

SLES 11 SP2 is out of general support. Unless you have purchased long term service pack support for it there have been no updates in over a year.

Are you certain about the openSSH version and the SLES version?

ab
06-May-2015, 01:43
SLES 11 was originally released in 2009, two years after this was fixed.
I'd be surprised if your version has openssh 4.3 (mine has 6.2 and I'm on
SP3) but if you are sure please share how you determined that. Either
way, having a bug fixed two years before a subsequent version is released
should be a good indicator that the problem cannot exist in the new version.


ab
06-May-2015, 01:43
Forgot to show the lifecycle page which has release dates:

https://www.suse.com/lifecycle/


smflood
06-May-2015, 10:27
On 05/05/2015 20:24, mikewillis wrote:

> I can't find off hand what version of openSSH SLES 11 SP2 shipped with
> but I doubt it was 4.3 given that was released in 2006, SLES 11 was
> released 2010 and SP2 in 2012. The first update to openSSH released for
> SP2 was in March 2012 and was openssh-5.1p1-41.53.1.

SLES11 SP2 included openssh-5.1p1-41.51.1

> SLES 11 SP2 is out of general support. Unless you have purchased long
> term service pack support for it there have been no updates in over a
> year.
>
> Are you certain about the openSSH version and the SLES version?

I did wonder if the OP is using openSUSE 11.2 but I think even that has
a later version of openSSH than 4.3.

Perhaps the OP could provide the output from both "cat /etc/*release"
and "rpm -qa openssh*" to help clear up any confusion.

HTH.
--
Simon
SUSE Knowledge Partner


ekoforever
06-May-2015, 13:19
"cat /etc/*release" provides:
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 2

"rpm -qa openssh*" provides:
openssh-5.1p1-41.57.1

Initially my problem was that I was deriving the ssh version incorrectly. I had been checking the wrong host. Thanks for your assistance on finding this.
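The practical check the thread converges on is to compare the installed package's full version-release (the part that moves when SUSE backports a fix) rather than the upstream OpenSSH version string alone. The script below is an added example, not code from this thread or from SUSE: it implements an rpm-style version comparison in POSIX sh plus awk and applies it to the package strings the posters quoted (openssh-5.1p1-41.57.1 from the OP, openssh-5.1p1-41.51.1 as the SP2 build smflood named). The 4.3 package string is a constructed value for contrast, not a real SUSE build.

```shell
#!/bin/sh
# Added example: compare a SUSE openssh package's version-release against a
# reference build, rpm-style. Backported fixes bump the release field
# (41.51.1 -> 41.57.1) while the upstream version (5.1p1) stays the same, so
# the upstream number alone cannot tell you whether a CVE is fixed.

# vercmp A B -> prints -1, 0 or 1 for A<B, A==B, A>B.
# Tokenises both strings into digit runs and letter runs; numbers compare
# numerically, a number sorts after a letter run, letters compare as strings,
# and when one side is a prefix of the other the longer side is newer.
vercmp() {
    awk -v a="$1" -v b="$2" '
    function tok(s, arr,    parts, k, c, i) {
        gsub(/[0-9]+/, " & ", s)                 # isolate digit runs
        k = split(s, parts, /[^0-9A-Za-z]+/)
        c = 0
        for (i = 1; i <= k; i++) if (parts[i] != "") arr[++c] = parts[i]
        return c
    }
    BEGIN {
        na = tok(a, x); nb = tok(b, y)
        n = (na < nb) ? na : nb
        r = 0
        for (i = 1; i <= n && r == 0; i++) {
            da = (x[i] ~ /^[0-9]+$/); db = (y[i] ~ /^[0-9]+$/)
            if (da && db) {
                if (x[i] + 0 > y[i] + 0) r = 1; else if (x[i] + 0 < y[i] + 0) r = -1
            } else if (da != db) {
                r = da ? 1 : -1                  # numeric segment is newer
            } else if (x[i] != y[i]) {
                r = (x[i] > y[i]) ? 1 : -1
            }
        }
        if (r == 0 && na != nb) r = (na > nb) ? 1 : -1
        print r
    }'
}

# pkg_fixed INSTALLED REFERENCE -> true when INSTALLED is REFERENCE or newer.
# Both are full package strings as printed by "rpm -qa openssh*"; the name
# prefix is stripped before comparison (assumes the plain "openssh" package).
pkg_fixed() {
    [ "$(vercmp "${1#openssh-}" "${2#openssh-}")" -ge 0 ]
}

# Constructed sample input taken from the thread, plus one made-up old build.
INSTALLED="openssh-5.1p1-41.57.1"   # what the OP's "rpm -qa openssh*" printed
SP2_GA="openssh-5.1p1-41.51.1"      # SP2 build named by smflood
OLD="openssh-4.3p2-1.1"             # hypothetical, for contrast only

main() {
    for p in "$INSTALLED" "$OLD"; do
        if pkg_fixed "$p" "$SP2_GA"; then
            echo "$p: at or beyond $SP2_GA"
        else
            echo "$p: older than $SP2_GA"
        fi
    done
}
main
```

On the actual host, the reference build to compare against is whatever the vendor advisory for the CVE lists for your product, and the direct confirmation of a backported fix is the package changelog, e.g. `rpm -q --changelog openssh | grep CVE-2007-4752`, rather than the version `ssh -V` reports.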